This invention relates generally to network computing systems, and in particular to remotely managed computers. Still more particularly, the present invention relates to a method and system for dynamically repairing or immunizing a client computer from a computer virus. The invention forces the client computer to contact only a pre-authorized anti-virus server to receive an anti-virus fix for the computer virus under various modalities.
One area of background entails virtual machines and virtual machine monitors which arose out of the need to run applications written for different operating systems concurrently on a common hardware platform, or for the full utilization of available hardware resources. Virtual machine monitors were the subject of research since the late 1960's and came to be known as the “Virtual Machine Monitor” (VMM). Persons of ordinary skill in the art are urged to refer to, for example, R. P. Goldberg, “Survey of Virtual Machine Research,” IEEE Computer, Vol. 7, No. 6, 1974. During the 1970's, as a further example, International Business Machines Corporation adopted a virtual machine monitor for use in its VM/370 system.
A virtual machine monitor, sometimes referred to in the literature as the “hypervisor,” is a thin piece of software that runs directly on top of the hardware and virtualizes all the hardware resources of the machine. Since the virtual machine monitor's interface is the same as the hardware interface of the machine, an operating system cannot determine the presence of the VMM. Consequently, when the hardware interface is one-for-one compatible with the underlying hardware, the same operating system can run either on top of the virtual machine monitor or on top of the raw hardware. It is then possible to run multiple instances of operating systems or merely instances of operating system kernels if only a small subset of system resources are needed. Each instance is referred to as a virtual machine. The operating system can be replicated across virtual machines or distinctively different operating systems can be used for each virtual machine. In any case, the virtual machines are entirely autonomous and depend on the virtual machine monitor for access to the hardware resources such as hardware interrupts.
Another area of background involves viruses. While early computers were “stand alone” and unable to communicate with other computers, most computers today are able to communicate with other computers for a variety of purposes, including sharing data, e-mailing, downloading programs, coordinating operations, etc. This communication is achieved by logging onto a Local Area Network (LAN) or a Wide Area Network (WAN). While this expanded horizon has obvious benefits, it comes at the cost of increased exposure to mischief, particularly from viruses.
A virus is programming code that, analogous to its biological counterpart, usually infects an otherwise healthy piece of code. The virus causes an undesirable event, such as causing the infected computer to work inefficiently, or else fail completely. Another insidious feature of many viruses is their ability to propagate onto other computers on the network.
The four main classes of viruses are file infectors, system (or boot-record) infectors, worms and macro viruses. A file infector attaches itself to a program file. When the program is loaded, the virus is loaded as well, allowing the virus to execute its mischief. A system infector infects a master boot record in a hard disk. Such infection will often make the hard drive inoperable upon a subsequent re-boot, making it impossible to boot-up the computer. A worm virus consumes memory or network bandwidth, thus causing a computer to be non-responsive. A macro virus is among the most common viruses, and infects word processor programs.
Another common type of virus is aimed at browsers and e-mail. One such virus causes a Denial of Service (DoS) attack. A DoS virus causes a website to become unable to accept visitors. Usually, such attacks cause the buffer of the website to overflow, as a result of millions of infected computers being forced (unwittingly) to hit the website.
To counter viruses, anti-viral programs are written, and are constantly updated to be effective against new viruses. Such anti-viral programs are delivered either on physical media (such as CD-ROMs), or are downloaded off a network such as the Internet. Updates are typically downloaded as well, in order to provide rapid deployment of such updates. Such updates have problems and limitations, however. The most significant limitation is that such an update may not be downloadable if the client computer is already infected. That is, if the client computer has already been infected with a virus such as a system infector, then the computer will be completely unable to boot from its primary operating system, much less download an anti-viral program. Similarly, if the client computer is already infected with a worm virus, then the client computer will be non-responsive and unable to download the anti-viral program.
Another limitation is that the client computer is exposed to the network while downloading the anti-viral program. In the case of rapidly spreading viruses, this exposure can be critical, causing the client computer to be infected while looking for and/or downloading the necessary anti-viral program.
Another limitation is that downloading a software fix from an anti-viral program server requires user intervention or user action, such as accepting the download, selecting a drive and location to store the download, running the fix, often re-booting the computer after running the fix, et al. Many times the end user of the client computer will ignore a prompt or offer to download a fix, or will fail to manually perform an update check, thus leaving infected clients on a network, thus causing other client computers on the network to become infected.